Integrated Assessment Record

Privacy, Security and Consent Management Training

2

Agenda

1. Introduction2. Privacy and Security Processes

• Incident Management• Consent Management • Client Privacy Rights Support• Audit Log Review • Privacy Review• User Account Management• EMPI

3. Communications 4. Awareness and Training 5. Next Steps and Reminders

3

Introduction

Purpose of Training

• Provide a thorough understanding of the privacy and security key processes that support IAR as mentioned in the Data Sharing Agreement

• Provide guidelines to implement these privacy and security processes in each HSP in compliance with privacy legislation

• Begin planning the integration of the IAR processes into your existing HSP processes

• Help you meet the IAR implementation milestones

4

5

The IAR is an application that allows assessment information to move with the client from one health service provider to another.

Health service providers (HSPs) can use the IAR to view timely client assessment information:

• electronically

• securely

• accurately

What is the Integrated Assessment Record (IAR)?

Long-Term Care Homes

Community Mental Health

Inpatient Mental Health

Others

Community Care Access Centres

Community Support Services

Addictions

6

Information Flow: Today

Your HSP

Collection

Use

Fax

Mail

Phone

Courier

Other HSPsClients

Your HSP’s privacy policy and processes

Governed and supported by:

Disclosure

7

Your HSP

CCAC

Governed and supported by:

LTCH

CMH

Disclosure

Information Flow: IAR

8

Your HSP

Collection

Use

Other HSPsClients

Disclosure

Fax

Mail

Phone

Courier

CCAC LTCH

Other CSS HSPsCMH

DisclosureDisclosure

Collection, Use and Disclosure of Assessments

9

What is Privacy?

Privacy is the right of an individual to control the collection, use and disclosure of his/her personal information.

10

Health Information Custodian

• “Health information custodian” means a person or organization (described in PHIPA) who has custody or control of Personal Health Information as a result of or in connection with performing the person’s or organization’s powers or duties or the work.

• The HSP who collects/uses/discloses the assessment is the Health Information Custodian (HIC) for the assessment – in its role as a HIC, the HSP has to fulfill their obligations as prescribed in PHIPA

Health Information Network Provider

PHIPA defines this legal term as “a person [or organization] who provides services to two or more health information custodians where the services are provided primarily to custodians to enable the custodians to use electronic means to disclose personal health information to one another, whether or not the person is an agent of any of the custodians.” O. Reg. 329/04, s. 6 (2).

11

12

Collection, Use and Disclosure

Privacy activities are described using three terms:

     Collect: An HSP has ‘collected’ PHI when it has gathered, acquired, received or obtained information about a client by any means from any source.

Use: An HSP ‘uses’ PHI when it handles or deals with PHI that it has collected.

Disclose: An HSP discloses PHI when it makes information in its custody available to other HSPs or to other people outside of the HSP.

13

Ontario Health Information Privacy Legislation

PHIPA – Personal Health Information Protection Act• Ontario’s privacy in healthcare legislation introduced in 2004• PHIPA is informed by the 10 privacy principles set out in the

Canadian Standards Association Model Code for the Protection of Personal Information

• The Act regulates how patients’ (or clients’) Personal Health Information is collected, used, retained, transferred, disclosed, provided access to and disposed of.

• The Act applies to a variety of organizations and individuals within the health care sector, including but not limited to, health information custodians (e.g., hospitals and health care practitioners), agents to HIC (who can be either organizations or individuals, and who are authorized to act for or on a health information custodian’s behalf), health information network provider (HINP).

141414

IAR HINP and HIC

Privacy Obligations

1515

HINP Privacy and Security Obligations

• Designate a Health Information Network Provider (HINP) Privacy Officer

• Sign the Data Sharing Agreement (DSA)

• Coordinate consent/consent directive management

• Coordinate incident management

• Coordinate the support of client’s privacy rights

• Manage user accounts in IAR

• Review IAR logs

• Perform Threat and Risk Assessment (TRA) and Privacy Impact Assessment (PIA)

• Publish privacy practices, plain language description of IAR services, safeguards for IAR services, summary of PIA/TRA

1616

HIC/HSP Privacy and Security Obligations

• Designate a privacy contact person (HSP Privacy Officer)

• Sign the Data Sharing Agreement (DSA)

• Manage client’s consent and consent directive

• Manage privacy incidents

• Support client’s privacy rights

• Manage user accounts

• Review logs

• Manage client’s demographics in Enterprise Management Patient Index (EMPI)

• Other HSP’s general privacy obligations (i.e., publish privacy practices, data accuracy)

IAR Privacy and Security Implementation Framework

17

18

Communication ● Awareness and Training

IAR Privacy & Security Implementation Framework

Consent Management

DATA SHARING AGREEMENT (DSA)

Privacy Review

UserAccount

Management

EnterpriseMasterPatientIndex

ClientPrivacyRights

Support

AuditLog

Review

Privacy and Security Support

Incident Management

Privacy and Security Key Processes

19

Data Sharing Agreement

• Formal agreement between parties who agree to share data– Define the terms and conditions governing the data sharing– Establish the accountabilities and responsibilities with regards to

data sharing– Define the obligations and rights of each participant– Describe the PHI privacy and security requirements

• Instil trust among participants to enable the data sharing

• DSA Workshop available to explain the document in detail

• DSA is available on the CCIM website:https://www.ccim.on.ca/IAR/Private/Pages/Security%20and%20Privacy%20ToolKit.aspx

2020

Privacy and Security Process Implementation Steps

1. Analyze existing internal processes with the requirements presented and determine gaps

2. Design new process or process steps to address the gaps 3. Develop the required processes, process steps or supporting artifacts4. Implement the newly designed and developed process or steps (remember

to include training and communications to HSP staff)

STEP 1ANALYZE

STEP 2

DESIGNSTEP 3

DEVELOPSTEP 4

IMPLEMENT

2121

Incident Management

Integrated Incident Management

22

Incident Management

• What is Incident Management? The ability to provide end-to-end management of a series of events that are initiated in response to a privacy or security breach

• Integrated incident management process must be established to coordinate the incident response activities among all participating organizations, which includes:– Detection– Escalation, notification and reporting– Incident handling (containment, eradication, recovery)– Lessons learned

• The process will interface with each HSP’s incident management process and will focus on collaboration and cooperation activities

2323

Example of Incidents

• Printed patient assessment information is left in public area (e.g., coffee shop)

• Theft, loss, damage, unauthorized destruction or modification of patient records

• Inappropriate access to patient information by unauthorized users

• Out of the ordinary user activity as indicated during a regular log review

• User account and password was compromised

• Network infrastructure is attacked by hackers

• Violation of joint security and privacy policies or procedures

2424

Incident Management Assumptions

• Incident management processes exist at both health information custodian (HIC) and health information network provider (HINP) organizations

• Privacy Officer role exists at HICs and HINP

• Existing HIC level incident management process has identified incident contact person (e.g., Privacy Officer)

• Incidents can be reported through the incident contact person at the HICs

252525

Integrated Incident Management Approach

• Four phases in the integrated incident management process:– Detection– Escalation– Handling– Reporting

• The most responsible party activates internal processes to handle the incident

• The party that receives incident report escalates incident to the most responsible party

• The most responsible party updates the Incident Registry at HINP and notifies affected clients

2626

Privacy Breach Protocol

• Information & Privacy Commissioner (IPC) recommends that the HINP develop a privacy breach protocol

• The protocol enables the HINP and participating HSPs to respond quickly and in a coordinated way during a privacy breach

• Roles and responsibilities are defined

• Investigation and containment are effective and efficient

• Remediation is easy to implement

27

Incident Management Process Maps

• Incidents can be detected or reported from the following parties:

1.HIC

2.Client or third party of the HIC

3.HINP

4.Third parties (e.g., agents or service providers) of HINP

• Processes are developed based on the four parties defined above

2828

Scenario 1 — Incident Detected by HIC

HIC detected an incident, such as:

• Printed patient assessment records were lost

• User account and password were compromised

• Network at HIC was broken into by hackers (suspect IAR upload files have been accessed)

29

1.0 Incident Detected by HIC

*Shaded boxes indicate existing steps in HSPs

Integrated Incident Management Processes – 1.0

Mos

t R

espo

nsib

le

HIC

HIN

PH

ICC

lient

Incident Handling ReportingDetection Escalation

1.2Does incident involve

other HIC(s)?

1.1 Incident is detected by

the HIC

1.9Internal processes to document and handle

incident

1.10Client(s) receives

notification of breach from HIC(s)

1.3 Documents incident and sends Incident

Report to HINP

1.4 Creates incident in

Incident Registry and notifies the most responsible HIC

1.6Internal processes to document and handle

incident

1.7Sends incident

resolution to HINP

No

yes

1.8Creates/updates

incident resolution in Incident Registry

1.5 HIC initiates internal

incident handling process

Start

End

3030

Scenario 2 – Incident Reported by Client / Third Party

• A client / third party reports an incident to a participating HSP, such as:

“My ex-spouse working in your organization accessed my medical information and used it in our child custody case. Why can he / she access my medical record?”

• A third party (non-client) found printed assessment information on HSP letterhead left at local coffee shop

31

Integrated Incident Management Processes – 2.0M

ost

Res

pons

ible

H

ICH

INP

HIC

Clie

nt/3

rd P

arty

Incident HandlingEscalation ReportingDetection

2.4 Send incident report to

HINP

2.3Does incident

involves other HIC?

2.1Client or 3rd Party

reports incident to HIC

2.2 HIC reviews incident

report from client

2.10Internal processes to document and handle

incident

No

2.11Client(s) receives

notification of breach from HIC

2.6 HIC initiates internal

incident handling process

2.7Internal processes to document and handle

incident

2.8Send incident

resolution to HINP

Yes

2.9Creates/Updates

incident resolution in Incident Registry

2.5 Creates incident in

incident registry and notifies the most responsible HIC

Start

End

2.0 Incident Reported by Client / Third Party of HIC

*Shaded boxes indicate existing steps in HSPs.

3232

Scenario 3 — Incident Detected by HINP

• HINP detected an incident, such as:

– IAR backup data unaccounted for (lost or stolen)

– Potential misuse of access is identified

– Extraordinary user activity as indicated by regular review

– Data backup tape that contains server and system data is missing

33

3.0 Incident Detected by HINPIntegrated Incident Management Processes – 3.0

Mo

st r

esp

on

sib

le H

ICH

INP

Clie

nt

EscalationDetection

3.1 Incident is detected by

or reported to HINP

3.4 Internal processes to

handle Incident

Incident Handling Reporting

3.3Does incident involve

other HIC(s)?

No

3.5Updates incident

resolution in Incident Registry

3.8Internal processes to document and handle

incident

3.7HIC initiates internal

incident handling process

Yes

3.10Client(s) receives

notification of breach from HIC

3.9Sends incident

resolution to HINP

3.6 HINP notifies the most

responsible HIC

3.2 Creates Incident

Record in Incident Registry

Start

End

End

*Shaded boxes indicate existing steps in HSPs.

3434

Scenario 4 – Incident Reported by Third Party of HINP

• Third party may report an incident to HINP, such as:

– Record management service provider reports to HINP that one IAR data backup tape is missing during transit

• Data backup tape that contains server and system data is missing

35

4.0 Incident Reported by Third Party of HINPIntegrated Incident Management Processes – 4.0

3rd P

artie

sH

INP

Mos

t R

espo

nsib

le

HIC

Clie

ntDetection Escalation Incident Handling Reporting

4.13rd party reports incident to HINP

4.2HINP reviews the

incident report from 3rd party

4.4 Does incident involve other

HIC(s)?

4.8HIC initiates

internal incident handling process

4.9Internal processes to document and handle incident

4.5Internal processes to handle incident

4.6Update incident

resolution in Incident Registry

4.10Sends incident

resolution to HINP

4.7 HINP notifies the most responsible

HIC

Yes

No

4.11Client(s) receives

notification of breach from HIC

4.3 Creates incident in

incident registry

Start

End

End

*Shaded boxes indicate existing steps in HSPs.

Incident Management: Analyze

• Map and review existing (internal) incident handling and management process and supporting artifacts

– Incident handling process

– Client notification process

– Investigation, containment and recovery process

– Communication mechanism to client, staff and third parties (i.e., poster / brochure / website)

36

37

Incident Management: Design

• Review each integration point

– Detection

– Escalation

– Handling

– Reporting

• Make decision on each integration point

• Update the existing process

Integration Points and Questions

Detection How do staff, clients and third parties know who to contact if they uncover an incident?

What information is needed from the incident reporter?

What happens after the incident is reported to you or your team?

Escalation Who would communicate with HINP Privacy Officer if incident involves other HSPs?

How would you prepare incident report and information to assist incident escalation to other HSPs?

When the HINP escalates to your organization, do you or your team know what to do next?

How do you communicate this process to members of your incident handling team?

Handling Review existing incident handling process for investigation, containment and recovery

When and how do you involve the IT operations team (if needed)

Review procedure to notify client (if their PHI is breached)

Reporting Explore ways to review incident logs and gather lessons learned

38

39

Incident Management: Implement

• Internal approval of revised/new process(es)

• Provide training and awareness to all staff members in your organization (not just clinicians or IAR users)

• External communications (clients and third parties)

– Poster, brochure, corporate website, centralized e-mail box

40

Consent Management Consent Management

4141

Consent Management — Overview

• Enables client control over how their personal health information (PHI) is collected, used, disclosed and shared – Ensures compliance with PHIPA

• Consent Directive – A client’s instruction on how their Personal Health Information

can be collected, used and disclosed

• Consent Model– Informed consent– Implied and express consent– Scope of consent directive– Structure of consent form (if required)

• Consent Management Process

42

Informed Consent — Elements of Informed Consent

Clients should be informed about:

• What information about them is being collected, used and disclosed

• Why their information is being collected, use and disclosed (i.e., The purposes of the collection, use or disclosure, as the case may be (2004, c. 3, Sched. A, s. 18 (5).)

• How information is being collected, used and disclosed and with whom

• Individual’s right to give or withhold consent (2004, c. 3, Sched. A, s. 18 (5))

• The positive and negative consequences of giving, withholding or withdrawing consent

43

Implied and Express Consent Types

Implied Consent – refers to situations in which it is reasonable to infer that the client is consenting and it is not necessary to specifically (or expressly) ask for the client’s Consent.

Express Consent – refers to situations where Consent is given explicitly, either orally or in writing. Express Consent can be signed or checked off on a list.

The key is to ensure the consent obtained is valid.

44

Consent Form – Page 36 Implementation Guide

45

Sample Brochure

46

Sample Brochure

47

Sample Poster

48

Message ScriptThe collection, use, disclosure (share) of client’s assessment

We will/would like to complete the assessment with you to identify the support and service you need. The assessment will cover <<Description of Information that may be part of the assessment>>. We collect and use your personal health information during the assessment in order to provide you with services that suit your individual needs. We also use your information to coordinate service planning with other Health Service Providers in order to provide you with better service.

Sharing of client’s assessment

If you agree, your information may also be shared via an electronic sharing system with other agencies that provide services to you.

What your Consent means

Your information may only shared with other agencies with your Consent.

If you do not want to share your assessment information with other agencies, you can let me know today or inform our staff anytime in the future, and we will make sure the assessment will not be shared. We also use a centralized electronic system to share assessments among partner agencies. The electronic system stores all of your assessment from <<HSP name>> and other agencies. If you don’t want any of the assessment information shared in the electronic system, please contact the support centre, who will ensure that no one will be able to access your assessments. You should know that your consent directive will take effect in <<# number of business days>>.Optional: If you give us your consent, this may mean:

<<Positive and negative consequences for sharing the assessment>>. If you choose to withdraw your consent and not share your assessment, this may mean: <<Positive and negative consequences for not sharing the assessment>>.

Your privacy rights

You can request a copy of the assessment information in your file by contacting us. You also have the right to request a correction or amendment to your assessment information, or log a complaint if you feel that we have not addressed your privacy concern correctly.

More information or question?

If you would like to know more about how your personal health information is handled and shared with agencies, you can contact the privacy officer at the <<HSP name>>. They will help you understand what it means to share your assessment and will be able to answer your questions. Please contact our designated privacy contact at <<contact information>>.

Group Discussion• Discuss at your table what your current process is for

informed consent. – What methods do you use?

• Posters• Brochures• Face to face discussion

• What methods do we want to add or change in the future?

• What types of material would you develop to support the future method of informing?

• What do we currently tell our clients?• What will we tell our clients about IAR?

49

50

IAR Consent Model

IAR supports two levels of Consent Directive:

• HSP-level Consent Directive applied to the assessments collected by the individual HSP

• IAR-level Consent Directive applied to all assessments in IAR relating to a client

51

HSP-Level Consent Directive

• HSP will obtain consent/Consent Directive from the client and register the consent in the assessment tool– Consent Directive, along with the assessment, will be uploaded

to IAR– IAR will inherit the consent flag submitted along with the

individual assessment and automatically enforce the Consent Directive in IAR

• Alternatively, the HSP can login to the IAR consent interface to register the Consent Directive manually– Only the assessments from the HSP will be affected

HSPs need to determine whether their software can upload the consent flag, or if they will need to do this manually

5252

IAR-Level Consent Directive

• To register the IAR-level Consent Directive, the client can call the Consent Call Centre:

Regular Toll-free: 1-855-585-5279TTY Toll-Free: 1-855-973-4445

– Consent to share in the IAR means all of the client’s assessments across HSPs will be shared with participating HSPs that provide care to the client

– If consent is withheld in the IAR, all of the client’s assessments already in the IAR, and uploaded in the future, will be locked and participating HSPs will not be able to view them

• The more restrictive Consent Directive (either HSP-level or IAR-level) will be enforced

https://www.ccim.on.ca/IAR/Private/Document/IAR%20Education%20and%20Training/IAR_session_materials/IAR_Privacy_security_kickoff_and_Consent_mgt/consent_mgt/IAR%20Consent%20Call%20Centre%20Flyer.pdf

53

How Consent Works in IAR

HSP Level Consent Directive

Client

HSP-A

Assessment A1 Assessment A2

Yes Yes

HSP-B

Assessment B1 Assessment B2

No No

IAR

Assessment A1 Assessment A2

Yes Yes

Assessment B1 Assessment B2

No No

IAR Level Consent Directive - YES

IAR Level Consent Directive

Clinician

54

How Consent Works in IAR (Cont’d)

HSP Level Consent Directive

HSP-A

Assessment A1 Assessment A2

Yes Yes

HSP-B

Assessment B1 Assessment B2

No No

IAR

Assessment A1 Assessment A2

Yes Yes

Assessment B1 Assessment B2

No No

IAR Level Consent Directive - No

IAR Level Consent Directive

Clinician

IAR Consent Directive in Effect

55

HSP Assessment Consent Directive in Effect

56

Scenarios: Client Needs HSP Help

1. Client is not comfortable or not able to call the Consent Call Centre by himself / herself

2. Client does not have enough information to identify himself / herself

3. Client has a substitute decision maker (SDM) who wants to provide a Consent Directive on his / her behalf

57

Client Needs Help with Calling Consent Call Centre

• The clinician or case worker can help the client place the call to the Consent Call Centre

• If the client needs assistance navigating through the process during his / her encounter with the Consent Call Centre customer service representative (CSR), the clinician or case worker may help the client by repeating the message from the CSR or explaining what information is required

• Some basic identifying information about the clinician or case worker will be asked by the CSR to identify the client and link his / her Consent Directive to the correct assessments in IAR

• The client will still need to provide the consent to the Consent Call Centre himself / herself

58

Client Needs Help Identifying Self

• If the client does not have a Health Card Number, a fixed address or a telephone number, the client is required to place the call to the Consent Call Centre from an HSP

• The Consent Call Centre CSR will request the assistance of the clinician or case worker to help verify the identity of the client

• The client will provide the consent to the Consent Call Centre

• Some basic information about the clinician will be asked by the Consent Call Centre

59

SDM Needs Help Identifying Themselves

• If the client has a Substitute Decision Maker (SDM) providing the Consent Directive on their behalf, the SDM is required to place the call to the Consent Call Centre from an HSP — the Consent Call Centre CSR will request the assistance of the clinician or case worker to help verify the identity of the SDM

• The CSR will ask the clinician or case worker for information to validate the clinician or case worker as an authorized person from the HSP, including the clinician’s name, HSP name, HSP phone number, IAR user ID, etc.

• Once the identity of the SDM is verified through the clinician or case worker, the SDM will continue the encounter with the Consent Call Centre, and provide the client’s Consent Directive to the CSR

60

61

Integration Points

Consent Model

• Informing the client: What to say, how to say it

• Implied or express consent

• Scope of the Consent Directive

• Structure of Consent form

Consent Process

1. When to inform the client

2. When and how to obtain and update consent

3. How to record the consent directive in a central location, and who performs this activity

3. Register/Update Consent Directive

– How to register Consent Directives

– Who registers Consent Directives

4. Enforcing Consent Directive

– How to effectively enforce the Consent Directive

62

ClientPrivacyRights

Support

Client Privacy Rights Support

63

Client Privacy Rights Support Process

• Integrated client privacy support process (service desk) to fulfill Health Information Custodian’s (HIC) privacy obligation to: – Provide access to their Personal Health Information (PHI)

upon client’s request– Make correction to PHI upon client’s request– Handle client’s challenge concerning compliance with privacy

legislation

• The process will interface with each HSP’s existing process and will focus on collaboration and cooperation activities

6464

Approach

• If the request to access or change the assessment or the complaint relates solely to information in the custody or control of a single HIC, local processes are used

• If the request to access or change the assessment involves other HICs, the HIC identifies the other involved HICs for the client

• If the complaint involves more than one HIC, the HINP identifies the most responsible HIC to handle the response

65

Client Privacy Rights Support Assumptions

• Each HIC has in place policies and procedures to support client privacy rights

• HICs only release and correct information within their custody or control

• HINP will only participate or coordinate the privacy complaint management process

• IAR is a repository of information that originates from multiple HICs and is not considered the source of truth for that information

66

1.0 – Request a Copy of Assessment

*Shaded boxes indicate existing steps in HSPs.

Client Privacy Support Processes – 1.0H

ICC

lient

EscalationRequest for Assessment

1.1Requests copy of

assessment

1.2 Initiate process to

review request

1.4Initiate process to

handle and respondto the request

Handling Reporting

1.3Does it involvedata from other

HICs?

1.5Client receives

response

Yes

1.6Redirects client to appropriate HIC

1.7Client receives

redirection instructions

Start End

No

67

2.0 – Request a Correction to Assessment

*Shaded boxes indicate existing steps in HSPs.

Client Privacy Support Processes – 2.0H

ICC

lient

Yes

2.5Client receives

response

2.2 Initiate process to

review change request

No

Reporting

2.1Requests correction or

modification to Assessment

Handling

2.7Client receives

redirection instructions

2.3Does it involvedata from other

HICs?

2.4Initiate process to

handle and respondto the request

Client request HIC to modify / correct Assessment

Start

Escalation

2.6Redirect Client to appropriate HIC

End

68

3.0 – File a Complaint With the HIC

*Shaded boxes indicate existing steps in HSPs.

Client Privacy Support Processes – 3.0M

ost

R

esp

on

sib

le

HIC

HIN

PH

ICC

lien

tHandlingEscalationClient IAR related complaint Reporting

3.1 Client files IAR related

complaint with HIC

3.2 Initiates process to

receive request

Yes

3.5Notifies HINP of

complaint

3.3Involve other

HICs?

3.6Records complaint in

log

3.10Handles and responds

to complaint

3.4Internal process to

handle and respondto the request

3.14Client receives

response

3.12Updates Complaint

Log

No

3.9Initiates handling of

complaint

3.11Notifies HINP of end

result

3.8Sends instruction and documentation to most

responsible HIC

3.7Facilitates the

response among HICs

3.13Notifies original

receiver of complaint of the end result

Start End

End

69

Client Privacy Rights Support: Analyze

• Map and review existing Client Privacy Right Support process and supporting artifacts– Client Request Form– Patient Privacy Right Complaint Form– Patient Privacy Right Complaint Report

• Review each integration point– Determine if request to view / access / change involves other

HSPs– Standard re-direct letter / form template to respond to client– Keep Privacy Officer contact list handy for response to client– Determine if the filed complaint involves other HSPs– Establish a communication mechanism with the HINP for

escalation of privacy complaint• Make decision on each integration point on the next slide• Update the existing process

70

Client Privacy Rights Support: Design

71

Design Integration Points

• Client requests a copy of an assessment– How do you use IAR to determine if the request involves other

assessments from HSPs?– Redirect client to make request to other HSPs – make use of

the provided form template

• Client requests change to assessment– Use IAR to determine if request involves other HSPs– Review process of consulting with staff if changes can be

made or not– Use form template to respond to client

• Client files privacy complaint– Who reviews complaint and determines if other HSPs are

involved?– Review communication mechanism with HINP to escalate the

privacy complaint that involves other HSPs

Client Privacy Rights Support: Develop

• Review the samples provided • Determine if you will update your existing materials:

– Process maps

– Client Request form, if needed

– Client Request Response form, if needed

– Patient Privacy Right Complaint form, if needed

– Patient Privacy Right Complaint report, if needed

72

73

Client Privacy Rights Support: Implement

• Approve the process by senior management• Communicate the process with all staff• Provide training and awareness to your clinical staff or

health record personnel• Establish a communication mechanism with the HINP

(email or phone call)

74

UserAccount

ManagementUser Account Management

75

User Account Management

• User account management process must be established to ensure only authorized users with business need can access the IAR:

– Users within each organization can access IAR systems only for the purpose of providing health care

– User account request has to be reviewed and approved

– User account must be disabled immediately when user leaves the organization

767676

User Account Management: Approach

• User Account Management is centralized

• IAR Support Centre at CCIM acts as the single point of contact for all HSPs participating in IAR

• HINP is responsible for all user account administration activities (creation, update, change and removal)

• Each HSP is asked to identify and submit the name of its user authority and user coordinator to CCIM

77

HSP User Account Management Responsibilities

• Each participating organization has a designated person to authorize user access to IAR called a User Authority (UA)

– A UA should be someone in management or someone who has knowledge of who should use IAR

• Each participating organization has a designated contact person for day-to-day user account management activities called a User Coordinator (UC)

– A UC is responsible for liaising with the Support Centre for modification or update of user details, and removal of user account when user no longer requires access

7878

User Responsibilities

• Every IAR user has to be authorized by an HSP

• Every IAR user must read the IAR User Agreement before receiving a user account (HSP responsibility)

• Every IAR user has to read and accept the IAR User Agreement before access (on screen, upon login)

• User accounts are disabled immediately when users no longer require access

7979

User Account Management Process Maps

HSP can:

1. Request a new user account to access IAR

2. Request a change or update of user account information (e.g., phone number, location, email, etc.)

3. Request to remove one or multiple user accounts (e.g., user left organization, user no longer has IAR access)

Processes are developed based on these three scenarios

80

1.0 Creation of New Users

1.0 User Account Management – Creation of New UsersIA

R S

up

po

rt

Ce

ntr

eH

INP

HS

P

1.4 User Coordinator (UC) sends request to

create User Account

1.1 Manager completes User

Account Request form

1.2 User accepts IAR User

Agreement

1.3 User Authority (UA) authorizes User Account

request

1.10 New user logs in to IAR and changes password

1.5 Reviews User Account request and sends ticket

to HINP

1.9 UC informs user of new IAR username and

password

1.6 Validates UA authorization and

creates User Account in IAR

1.7 Updates ticket for Support Centre

1.8 Sends username and

password to HSP UC

Start

1.11 Updates and closes the ticket

End

81

2.0 Request to Change

2.0 User Account Management - Modification of user detailsH

INP

IAR

Sup

port

C

entr

eH

SP

2.7 Informs UC the change is

completed

2.4 Reviews user account change

request and sends ticket to HINP

2.5 Validate UC authorization and

modifies User Account in IAR

2.8 UC informs user change in user account is

completed

2.6 Update ticket for Support Centre

2.3 UC sends change request to

CCIM Support Desk

2.2 UC reviews and signs off on

account modification form

2.1 User or user’s manager requests

change of user information

Start

End

2.9 Updates and closes the ticket

82

3.0 Removal of Users3.0 User Account Management – Removal of User Accounts

HIN

PIA

R S

uppo

rt C

entre

HS

P

3.1 UC completes user account

removal form and sends to CCIM Support Desk

3.6 UC informs manager user

account is removed

3.5 Informs UC user account

removal is completed

3.4 Updates ticket for Support Centre

3.3 Validates UC authorization and

deletes User Account in IAR

3.2 Reviews user account removal

request and sends ticket to HINP

Start End

3.7 Updates and closes the ticket

83

User Account Management: Analyze

• Map and review existing User Account Management process– How are current IT user accounts being provisioned?– Are there any existing process you can leverage?– Who initiates user account creation/change/removal?– Who authorizes user account creation?– Who authorizes user account change or removal?

84

User Account Management: Design Integration Points

• Creating new user account after implementation (non-bulk)

• Changing user details, such as phone number, work locations, or name

• Remove user account when user no longer requires IAR access (e.g., due to change of job function or departure from the organization)

User Account Management: Develop

• Obtain decisions on each integration point – Who is to be the User Authority?– Who is to be the User Coordinator?– Do you need multiple UAs and/or UCs?

• Get your Executive Lead to appoint the UA and UC• Update the existing IT account provision process

(if needed)

85

86

User Account Management: Implement

• Approve the process by senior management• Communicate the process with all staff• Provide training and awareness to the User Authority

(UA) and User Coordinator (UC), and perhaps all IAR users

87

AuditLog

ReviewAudit Log Review

88

Audit Log Review

• PHIPA requires access to PHI be on a need-to-know basis

• Organizations must have controls in place that regulate access and also log activity and procedures to regularly review logs and user access activity

• Audit logs and reports play an important role in access review process and breach investigations. Log review process must be established to identify any privacy breach and security incident

• HIC: Organizational level privacy logs should be reviewed by Local Privacy Officer regularly, depending on the volume and perceived risk level, to detect unauthorized access to PHI

• HINP: Global privacy logs should be reviewed for investigation purpose only by HINP Privacy Officer (e.g., if an incident occurs and HINP needs to perform investigation) Security Event Log should be reviewed daily to once a week by HINP Administrator to detect error or security incidents

89

Audit Log Review Guidelines

• Audit log review is conducted at the HSP and HINP

– HSP Privacy Officer reviews local audit logs and reports for potential incidents

• HINP is involved if the log review at the HSP uncovers incident requiring HINP to assist in the investigation

• HINP Privacy Officer reviews audit logs for potential incidents that affect IAR and the HINP IT infrastructure

– HINP communicates to HSP if an incident is uncovered at the HINP that affects other HSPs (*This triggers Integrated Incident Management process)

90

Audit Log Review Guidelines

• Establish review schedule and routine

• Understand user activity baseline

• Look for out-of-ordinary activities and events:– Unauthorized access– Excessive client searches– Excessive assessment searches

• Investigations– User ID-based– Client/Patient ID-based

91

Operational Reports

• OP1 – List of IAR Users• OP2 – List of IAR Organizations

92

OP1 – List of IAR Users

93

OP2 — List of IAR Organizations

94

Privacy Reports• PS1 – IAR User Activity Report • PS2 – IAR Event Type Report • PS3 - IAR Consent Directives History Report• PS4 - IAR Current Consent Directive Report • PS5 – IAR User PHI Access Report• PS6 – IAR PHI Disclosure Report• PS7 – Assessment Disclosure Query

95

PS1 – User Activity Report

96

PS2 – Event Type Report

PS3 – IAR Consent Directives History Report

97

98

PS4 – IAR Current Consent Directive Report

99

PS5 – User PHI Access Report

100

PS6 – IAR PHI Disclosure Report

101

PS7 – Assessment Disclosure Report

102

Report Format

103

Report in CSV Format

CSV formatted files can be imported into Excel for further analysis and formatting

104

Privacy ReviewPrivacy Review

105

Privacy Operations Review

• Privacy review is defined in the Data Sharing Agreement

• All HSPs should conduct privacy and security self-assessment on a regular basis, which will assess the effectiveness and efficiency of the privacy operations to ensure continued compliance with the DSA

• The self-assessment should be conducted based on a checklist agreed by all HSPs, to ensure consistency and comparability of the result

• The results of the self-assessment shall be signed off by the HSP’s senior management and submitted to the Privacy and Security Committee for review

• Privacy and Security Sub-Committee reviews gaps and mitigation plans from HSPs

• HINP follows up on progress of mitigation plans from HSPs

106

Self-Assessment Checklists

Sections

1. General Governance and Operations

2. Consent Management

3. Audit Log Review

4. Client Privacy Right Support

5. Integrated Incident Management

6. User Account Management

107

Integration Points

• Identify who is accountable for signing off on the self-assessment report

• Identify who is responsible for performing the self-assessment and conducting the review

• Identify if there is a need to involve different individuals when conducting the different area or section of the review

108

109

Enterprise Master Patient Index (EMPI)

Enterprise MasterPatientIndex

110

EMPI Overview

• EMPI is an Enterprise Master Person Index that uniquely identifies a person across multiple sources (HSPs)

• EMPI creates a unique enterprise identifier (EID) for any single client

– EMPI establishes and maintains a mapping between the EID and the client’s identifier used inside each of the participating HSPs

• EMPI operations ensure the accuracy, completeness and “up-to-date-ness” of a client’s demographics to uniquely identify a person across multiple sources (HSPs)

• Define the processes to identify, escalate, resolve issues related to client’s demographic information

111

How Matching Is Done

• The EMPI compares demographic data from each assessment and creates matches based on an algorithm and established thresholds

• Demographic information used includes:– First Name

– Last Name

– Date of Birth

– Gender

– Telephone Number

– Address

– Health Card Number

• Better matches are reached when using a Health Card Number

112

Health Records Lead Role

• Designated by the Executive Lead

• Helps resolve EMPI data element issues:

– Potential linkage

– Potential duplicate

– Potential overlay

• Interacts with the EMPI Data Steward (EDS) at Consolidated Health Information Services (CHIS) – the EMPI HINP

• Liaises with clinicians, health record personnel, and/or Privacy Officer and facilitates resolution to data element issues

113

Typical EMPI Questions

• Potential Linkage – record for the same person from a different source

• Potential Duplicate – duplicate record for same person in same source

• Potential Overlay – same record with different person (NOTE: no records can be viewed from IAR until an overlay issue is

resolved)

114

EMPI Process Summary

• EMPI Data Steward notifies HSP of data quality issues or errors identified from EMPI regarding client demographic information

• HSPs evaluate, investigate and resolve the identified data quality issues or data errors

• HSPs resubmit assessments if issues are identified and corrected

• EMPI Data Steward and CCIM Support to work with HSPs to resolve major demographic data quality issues or data errors

Communication, Awareness and Training, and Next Steps

116

Communication

• HSPs need to raise key stakeholders’ awareness and support of the privacy and security of IAR

• HSPs need to obtain the support for the privacy and security implementation

• HSPs need to ensure timely, consistent, clear and coordinated messages

• CCIM will support the HSPs in their communication activities through the development of tools and materials

117

Awareness and Training

• HSPs need to raise the staff’s awareness of the privacy and security of IAR

• HSPs need to provide training on the privacy processes to the staff who participate in the privacy management activities, such as consent management, breach management, etc.

• CCIM will support HSPs in their awareness and training activities through the development of training tools and materials

– https://www.ccim.on.ca/Pages/sp_elearning.aspx

Next Steps

• Review and implement privacy and security processes to support IAR

• Complete the required forms and send to CCIM

• Attend the DSA Workshop if you have not already, get the DSA signed, and send it to CCIM

• Check out the Common Privacy Framework

https://www.ccim.on.ca/IAR/Private/Document/IAR%20Privacy%20and%20Security/Common%20Privacy%20Framework/Consent_Management_Implementation_guide_v1.1_20110602_CPF.pdf

118

119

Support Centre

Monday to Friday

Email

1.866.909.5600 option 88:30 am ― 4:30 pm

iar@ccim.on.ca

Thank You!

120